Sprint says Virgin Mobile users are safe from account hijacks
Downplays report by developer that accounts are easily hackable
Computerworld - Sprint today denied that subscribers of its Virgin Mobile subsidiary were wide open to account hijacking attacks as claimed by an independent software developer this week.
In emailed comments, Sprint spokeswoman Stephanie Vinge Walsh said the company has multiple safeguards to protect customer accounts from intrusion and tampering by unauthorized users.
"It's important to note that there are many different overlapping safeguards in place to ensure our customers' privacy and security, and we have taken steps to further prevent intrusions and spoofing," Walsh said. "While we maintain confidentiality about our security measures, our customer accounts are monitored constantly for several types of activity that would indicate if something illegal or inappropriate may be taking place."
Walsh was responding to questions that arose from a Monday blog post by developer Kevin Burke. In it, Burke detailed how the username and password system used by Virgin Mobile to let users access their accounts online was inherently weak and open to abuse.
Virgin forces subscribers to use their phone numbers as their username and a six-digit number as their password, Burke noted.
Because the password is just six digits long, it is relatively easy to guess using brute-force password guessing tools, Burke claimed. Burke authored a password-guessing tool to crack his own password to demonstrate how easy it is to defeat Virgin Mobile's authentication. The tool was designed to try different six-digit password combinations until it discovered the right one.
With the password and phone number, an attacker would be able to get a user's entire call records and texting history, change the handset associated with the number and change service address and password to lock the actual user out of an account, Burke wrote.
Burke said he went public with his discovery because Sprint did not fix the vulnerability after being told how easy it was to exploit. He also noted in his blog that Virgin Mobile subscribers had no easy way to mitigate any exposure to account hijacks.
In response, Sprint said it implemented a new procedure to lock out users from their accounts after four failed attempts. Burke described that move as ineffective because hackers could bypass it by making login attempts without sending any cookie data with the requests.
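The distinction Burke draws is between a failure counter the client controls and one the server controls. The following is an added illustration, not code from Sprint, Virgin Mobile or Burke's post: a simulated login service with two lockout designs. The first keeps the failure count in a per-session cookie, so a request that carries no cookie starts a fresh session with a zero counter; the second keeps the count server-side, keyed on the account under attack, so it cannot be reset by the client. The phone number, PIN and guesses are constructed sample values; the four-failure threshold is the one the article reports.

```python
"""Simulated login throttle comparing a session-cookie lockout with an
account-keyed lockout.

Added example; not Sprint's, Virgin Mobile's or Kevin Burke's code.
ACCOUNTS and the guesses used below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

MAX_FAILURES = 4  # lockout threshold reported in the article

# Constructed sample account store: phone number (username) -> six-digit PIN.
ACCOUNTS: Dict[str, str] = {"5551234567": "482913"}


@dataclass
class SessionKeyedLockout:
    """Weak design: the failure counter lives in the client's session.

    A request with no cookie (or an unknown one) gets a brand-new session
    whose counter starts at zero, so the account itself is never locked.
    """
    sessions: Dict[str, int] = field(default_factory=dict)
    _next_id: int = 0

    def login(self, phone: str, pin: str, cookie: Optional[str]) -> dict:
        if cookie is None or cookie not in self.sessions:
            self._next_id += 1
            cookie = f"sess-{self._next_id}"
            self.sessions[cookie] = 0
        if self.sessions[cookie] >= MAX_FAILURES:
            # Rejected without checking the PIN at all.
            return {"ok": False, "rejected": True, "cookie": cookie}
        if ACCOUNTS.get(phone) == pin:
            self.sessions[cookie] = 0
            return {"ok": True, "rejected": False, "cookie": cookie}
        self.sessions[cookie] += 1
        return {"ok": False, "rejected": False, "cookie": cookie}


@dataclass
class AccountKeyedLockout:
    """Hardened design: the failure counter is stored server-side and keyed
    on the account being targeted, so whether or not the client sends a
    cookie makes no difference to throttling."""
    failures: Dict[str, int] = field(default_factory=dict)

    def is_locked(self, phone: str) -> bool:
        return self.failures.get(phone, 0) >= MAX_FAILURES

    def login(self, phone: str, pin: str, cookie: Optional[str] = None) -> dict:
        # `cookie` is accepted for interface parity but deliberately ignored.
        if self.is_locked(phone):
            return {"ok": False, "rejected": True}
        if ACCOUNTS.get(phone) == pin:
            self.failures[phone] = 0
            return {"ok": True, "rejected": False}
        self.failures[phone] = self.failures.get(phone, 0) + 1
        return {"ok": False, "rejected": False}


def cookieless_attempts(service, phone: str, guesses: Iterable[str]) -> int:
    """Submit each guess with no cookie and return how many guesses the
    service actually evaluated (i.e. were not rejected as locked)."""
    evaluated = 0
    for guess in guesses:
        result = service.login(phone, guess, None)
        if not result["rejected"]:
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    wrong = ["000000"] * 10  # constructed wrong guesses
    print("session-keyed, no cookie:", cookieless_attempts(SessionKeyedLockout(), "5551234567", wrong))
    print("account-keyed, no cookie:", cookieless_attempts(AccountKeyedLockout(), "5551234567", wrong))
```

Run stand-alone, the session-keyed service evaluates all ten cookieless guesses while the account-keyed service evaluates four and rejects the rest. The account-keyed design has its own operational cost, which a practitioner should weigh: because anyone who knows a phone number can trigger the lockout, it doubles as a denial-of-service lever against legitimate subscribers, so it is normally combined with a time-based reset, per-source rate limiting and an out-of-band unlock path rather than used as an indefinite hard lock.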
In her comments today, Walsh did not specifically address Burke's claims. Instead, she said the company has not received any reports of fraud affecting Virgin Mobile customers.
"We have had no unusual reports of fraud incidents or adverse consequences to our customers and believe that the total security measures in place prevent vulnerability of their accounts," Walsh said. "Payment card data is not visible on an account and we have additional processes in place to monitor and limit balance transfers and correction of inappropriate charges."
Walsh offered no details on what those measures might be.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.